C++: Add tests and accept test changes.

MathiasVP · MathiasVP · commit e97f977ad7ef · 2026-05-21T16:54:10.000+01:00
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.c b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.c
@@ -59,3 +59,70 @@ int main(int argc, char **argv) {
 
 	return 0;
 }
+
+typedef void *va_list;
+typedef void *_locale_t;
+
+int vprintf(const char *format, va_list argptr);
+int _vprintf_l(const char *format, _locale_t locale, va_list argptr);
+
+int vfprintf(FILE *stream, const char *format, va_list argptr);
+int _vfprintf_l(FILE *stream, const char *format, _locale_t locale, va_list argptr);
+
+int vsnprintf(char *buffer, size_t count, const char *format, va_list argptr);
+int _vsnprintf(char *buffer, size_t count, const char *format, va_list argptr);
+int _vsnprintf_l(char *buffer, size_t count, const char *format, _locale_t locale, va_list argptr);
+
+int vsnprintf_s(
+	char *buffer, size_t sizeOfBuffer, size_t count, const char *format, va_list argptr
+);
+int _vsnprintf_s(
+	char *buffer, size_t sizeOfBuffer, size_t count, const char *format, va_list argptr
+);
+int _vsnprintf_s_l(
+	char *buffer, size_t sizeOfBuffer, size_t count, const char *format, _locale_t locale,
+	va_list argptr
+);
+
+int vsprintf(char *buffer, const char *format, va_list argptr);
+int _vsprintf_l(char *buffer, const char *format, _locale_t locale, va_list argptr);
+
+int _vsprintf_p(char *buffer, size_t sizeInBytes, const char *format, va_list argptr);
+int _vsprintf_p_l(
+	char *buffer, size_t sizeInBytes, const char *format, _locale_t locale, va_list argptr
+);
+
+int vsprintf_s(char *buffer, size_t numberOfElements, const char *format, va_list argptr);
+int _vsprintf_s_l(
+	char *buffer, size_t numberOfElements, const char *format, _locale_t locale, va_list argptr
+);
+
+int _vscprintf_p(const char *format, va_list argptr);
+int _vscprintf_p_l(const char *format, _locale_t locale, va_list argptr);
+
+void test() {
+	// BAD: User input flowing to various printf-like functions.
+	char fmt[1024];
+	char out[1024];
+	va_list args = 0;
+	_locale_t locale = 0;
+	fread(fmt, sizeof(char), 1024, f);
+	vprintf(fmt, args); // BAD
+	_vprintf_l(fmt, locale, args); // BAD
+	vfprintf(f, fmt, args); // BAD
+	_vfprintf_l(f, fmt, locale, args); // BAD
+	vsnprintf(out, 1024, fmt, args); // BAD
+	_vsnprintf(out, 1024, fmt, args); // BAD
+	_vsnprintf_l(out, 1024, fmt, locale, args); // BAD
+	vsnprintf_s(out, 1024, 1024, fmt, args); // BAD
+	_vsnprintf_s(out, 1024, 1024, fmt, args); // BAD
+	_vsnprintf_s_l(out, 1024, 1024, fmt, locale, args); // BAD
+	vsprintf(out, fmt, args); // BAD
+	_vsprintf_l(out, fmt, locale, args); // BAD
+	_vsprintf_p(out, 1024, fmt, args); // BAD
+	_vsprintf_p_l(out, 1024, fmt, locale, args); // BAD
+	vsprintf_s(out, 1024, fmt, args); // BAD
+	_vsprintf_s_l(out, 1024, fmt, locale, args); // BAD
+	_vscprintf_p(fmt, args); // BAD
+	_vscprintf_p_l(fmt, locale, args); // BAD
+}
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/funcs/funcsLocal.expected
@@ -11,6 +11,24 @@ edges
 | funcsLocal.c:52:2:52:16 | *... = ... | funcsLocal.c:53:9:53:11 | ** ... | provenance |  |
 | funcsLocal.c:52:8:52:11 | *call to gets | funcsLocal.c:52:2:52:16 | *... = ... | provenance |  |
 | funcsLocal.c:57:2:57:14 | ... = ... | funcsLocal.c:58:9:58:10 | *e1 | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:110:10:110:12 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:111:13:111:15 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:112:14:112:16 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:113:17:113:19 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:114:23:114:25 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:115:24:115:26 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:116:26:116:28 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:117:31:117:33 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:118:32:118:34 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:119:34:119:36 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:120:16:120:18 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:121:19:121:21 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:122:25:122:27 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:123:27:123:29 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:124:24:124:26 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:125:27:125:29 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:126:15:126:17 | *fmt | provenance |  |
+| funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:127:17:127:19 | *fmt | provenance |  |
 nodes
 | funcsLocal.c:16:8:16:9 | fread output argument | semmle.label | fread output argument |
 | funcsLocal.c:17:9:17:10 | *i1 | semmle.label | *i1 |
@@ -31,6 +49,25 @@ nodes
 | funcsLocal.c:53:9:53:11 | ** ... | semmle.label | ** ... |
 | funcsLocal.c:57:2:57:14 | ... = ... | semmle.label | ... = ... |
 | funcsLocal.c:58:9:58:10 | *e1 | semmle.label | *e1 |
+| funcsLocal.c:109:8:109:10 | fread output argument | semmle.label | fread output argument |
+| funcsLocal.c:110:10:110:12 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:111:13:111:15 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:112:14:112:16 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:113:17:113:19 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:114:23:114:25 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:115:24:115:26 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:116:26:116:28 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:117:31:117:33 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:118:32:118:34 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:119:34:119:36 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:120:16:120:18 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:121:19:121:21 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:122:25:122:27 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:123:27:123:29 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:124:24:124:26 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:125:27:125:29 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:126:15:126:17 | *fmt | semmle.label | *fmt |
+| funcsLocal.c:127:17:127:19 | *fmt | semmle.label | *fmt |
 subpaths
 #select
 | funcsLocal.c:17:9:17:10 | *i1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:17:9:17:10 | *i1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread |
@@ -41,3 +78,21 @@ subpaths
 | funcsLocal.c:47:9:47:11 | ** ... | funcsLocal.c:46:7:46:9 | gets output argument | funcsLocal.c:47:9:47:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:46:7:46:9 | gets output argument | string read by gets |
 | funcsLocal.c:53:9:53:11 | ** ... | funcsLocal.c:52:8:52:11 | *call to gets | funcsLocal.c:53:9:53:11 | ** ... | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:52:8:52:11 | *call to gets | string read by gets |
 | funcsLocal.c:58:9:58:10 | *e1 | funcsLocal.c:16:8:16:9 | fread output argument | funcsLocal.c:58:9:58:10 | *e1 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | funcsLocal.c:16:8:16:9 | fread output argument | string read by fread |
+| funcsLocal.c:110:10:110:12 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:110:10:110:12 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to vprintf(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:111:13:111:15 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:111:13:111:15 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to _vprintf_l(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:112:14:112:16 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:112:14:112:16 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to vfprintf(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:113:17:113:19 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:113:17:113:19 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to _vfprintf_l(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:114:23:114:25 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:114:23:114:25 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to vsnprintf(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:115:24:115:26 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:115:24:115:26 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to _vsnprintf(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:116:26:116:28 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:116:26:116:28 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to _vsnprintf_l(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:117:31:117:33 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:117:31:117:33 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to vsnprintf_s(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:118:32:118:34 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:118:32:118:34 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to _vsnprintf_s(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:119:34:119:36 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:119:34:119:36 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to _vsnprintf_s_l(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:120:16:120:18 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:120:16:120:18 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to vsprintf(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:121:19:121:21 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:121:19:121:21 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to _vsprintf_l(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:122:25:122:27 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:122:25:122:27 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to _vsprintf_p(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:123:27:123:29 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:123:27:123:29 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to _vsprintf_p_l(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:124:24:124:26 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:124:24:124:26 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to vsprintf_s(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:125:27:125:29 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:125:27:125:29 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to _vsprintf_s_l(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:126:15:126:17 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:126:15:126:17 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to _vscprintf_p(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
+| funcsLocal.c:127:17:127:19 | *fmt | funcsLocal.c:109:8:109:10 | fread output argument | funcsLocal.c:127:17:127:19 | *fmt | The value of this argument may come from $@ and is being used as a formatting argument to _vscprintf_p_l(format). | funcsLocal.c:109:8:109:10 | fread output argument | string read by fread |
